
Target exploring slow response to hackers, exec tells Senate

By Renee Dudley and Michael Riley, Bloomberg News

Posted: 03/26/2014 12:01:00 AM CDT

Updated: 03/26/2014 07:39:17 PM CDT

John Mulligan, executive vice president and chief financial officer of Target Corp., right; Wallace Loh, president of the University of Maryland, and Edith Ramirez, chairwoman of the U.S. Federal Trade Commission, testify Wednesday before the Senate Commerce Committee on Capitol Hill. (Bloomberg/Andrew Harrer)

A Target executive told lawmakers Wednesday that the company had clues about a holiday-season data breach affecting millions of customers weeks before it responded, and is still exploring why it took so long to react.

Sometime after intruders entered Target's systems on Nov. 12, their activities were detected and evaluated by security professionals, according to Chief Financial Officer John Mulligan, testifying before a U.S. Senate panel in Washington. The company was later alerted to suspicious activity by the U.S. Justice Department, leading to an internal investigation that confirmed a breach on Dec. 15.

"We are asking hard questions about whether we could have taken different actions before the breach was discovered that would've resulted in different outcomes," Mulligan told the panel Wednesday. "In particular, we are focused on what information we had that could have alerted us to the breach earlier; whether we had the right personnel in the right positions; and ensuring that decisions related to operational and security matters were sound."

The testimony follows a report by Bloomberg Businessweek that found Target ignored warnings from its hacker-detection tools, leading to a breach that compromised 40 million credit card numbers -- along with 70 million addresses, phone numbers and other pieces of personal information.

"We are still investigating how the intruders were able to move through the system using higher-level credentials to ultimately place malware on Target's point-of-sale registers," Mulligan said.

"The malware appears to have been designed to capture payment card data from the magnetic strip of credit and debit cards prior to encryption within our system."

The Senate Committee on Commerce, Science and Transportation, which prepared a report ahead of the hearing, found that Minneapolis-based Target appeared to have missed opportunities "to stop the attackers and prevent the massive data breach."

-- Cyberthieves first infiltrated Target's network with credentials from an outside contractor, then "appear to have successfully moved from less sensitive areas of Target's network to areas storing consumer data, suggesting that Target failed to properly isolate its most sensitive network assets."

-- Target "appears to have failed to respond to multiple automated warnings from the company's anti-intrusion software that the attackers were installing malware on Target's system."

-- Target also "appears to have failed to respond to multiple warnings from the company's anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target's network."

Several senators on the panel criticized Target's management for not reacting sooner to warnings from sophisticated anti-hacking systems.

"Here, to be quite blunt, there were multiple warnings," said Sen. Richard Blumenthal, D-Conn. "Maybe because of lack of training, perhaps simply a sense of confidence and complacence. And that has created enormous cost."

Since Target collects detailed information on its customers, it needs to do everything possible to protect that data from identity thieves, said Sen. Jay Rockefeller, D-W.Va., who serves as chairman of the committee. "It is now well known that Target fell far short of doing this."

The attack became public in December, at the height of the holiday shopping season, and harmed Target's reputation and fourth-quarter sales.